Security-As-A-Feature And The Economics of Abundance

from the a-feature-not-a-product dept

The always insightful Bruce Schneier has a new piece out arguing that the stand-alone security industry is doomed, as security increasingly becomes a feature of other products rather than a product in its own right. He points out that hardly anybody wants to buy a "security product." They want to buy useful products -- operating systems, databases, web servers, whatever -- and take for granted that the developers of those products have designed them to be secure out of the box. Schneier also notes that consolidation in the security industry has not taken the form of large security firms buying small security firms, but of non-security-focused software firms buying security firms to bolster the security and reputation of their own products. This suggests that developers of other software products are recognizing that better security is one of the key features customers demand.

If you'll excuse me for jumping on a Techdirt hobby-horse here, this is another example of the economics of abundance at work. Security products are increasingly becoming commodities. The software ones -- anti-virus tools, software firewalls, intrusion detection systems -- obviously have a marginal cost of zero, and even many of the hardware devices are built on commodity parts that get cheaper every month. What hasn't gotten cheaper is the expertise required to assemble the bewildering array of security tools into a coherent system tailored to a firm's particular business. Indeed, as security products have grown more numerous and more complex, it has actually gotten harder to keep track of them all and to know which tools are the right ones in any given situation.

And crucially, this isn't something you can outsource to a third party. I've written before (in the context of e-voting) that encryption isn't magic pixie dust that automatically makes a system more secure. The same point applies to security more generally. Having the best firewall in the world won't do you any good if it's not configured properly, or if your network hasn't been designed with security in mind: a firewall left with a permissive default rule, or placed in front of a network whose internal hosts trust one another unconditionally, protects very little. And because every large organization has different security needs, every organization needs a slightly different security setup.

This creates a huge opening for companies that understand customers are not looking to buy a security software product, but a suite of software they can count on to be secure without worrying about the details. We've pointed out that this is essentially the business Red Hat is in: not selling software, but selling the expertise of its employees with respect to that software. Security is a big part of that. "Security software" is an infinite good, and the market for it will only get more crowded. The expertise needed to build complex software systems securely, on the other hand, is as scarce as ever, and it is one of the key ways software companies can distinguish themselves from the competition.

Security can be stand-alone

It can be a multi-million dollar industry if the security companies market only to large businesses/corporations such as credit card companies, banks, government, etc. This is because security is NOT their specialty. But when you have a team devoted to security and security only, then their products/services are higher quality. My bank has its own "in-house" IT security team and I feel a bit uneasy about that. Though those employees are more than qualified, I would much prefer a company that knows every little thing about IT security, especially one that has its own hackers who devote their 9-5 jobs to breaking into the system.

But on an individual/home network level, it would make sense to package security tools into everything because, let's be honest, 40 bucks for Norton Security? f-that...my wallet would be the only thing getting hacked.

Prove it

Anyone can say their software is secure, and most firms already do, whether it turns out the software really is or not. How will companies in the future be able to show it? How do you build that trust? How can you demonstrate security to a customer?

Re: Prove it

Vulnerabilities are found and advertised all over the web as it is. I don't see that stopping just because developers pull security in-house. Those who have secure software won't be called out on as many holes, and those who lie about how secure they really are will be found out pretty quickly.

Re: Security can be stand-alone

I think even that model -- selling to large entities -- will die eventually. For the standard stuff they'll just buy the same secure software that we home users get. And for the home-grown software that they need... well, that's got to come from somewhere. If there's a company selling secure banking software they'll buy it there; otherwise they'll grow their own. Regardless, security is going to be built into the software, not added on afterwards. Your best bet if you're looking to stay un-assimilated is to hire you and yours out as consultants and evaluators, but you won't be selling firewalls.

security "products" are not security "services"

"Security products are increasingly becoming commodities." It seems more likely that security services, specifically MSSPs, are increasingly becoming commodities. I think you and Bruce both have it wrong. It isn't the security industry that is doomed as Bruce states; it is the MSSP space that is "doomed". Large IT companies are buying small and medium sized managed security services companies and fusing the functions and services they provide into their existing IT service models. There is nothing particularly insightful or new about this. This has been happening for years; think ISS/IBM. Security products will continue to flourish in the market, and so will stand-alone developers of said security products. What won't flourish is the MSSP space because A.) big IT companies need to sell their IT services as "secure" and B.) customers will see the benefit of not having to pay for both IT services and MSSP services once they are no longer two separate entities. I think this argument confuses people because security "products" are different than security "services". What will likely go away is "security services" because they will continue to be fused with "IT services" sold by IT companies, not security companies. If the day comes where we see security "products" completely disappear because we suddenly trust developers to make their products secure, we are all in a lot of trouble.

My uncle once told me an interesting story about security...

My uncle was working for some software firm that created and sold software to third parties. The problem was that these third parties had a tendency to spread around quite a few illegal copies of the product. Management thus decided to search for some copy protection system, and several managers spent a few weeks finding a solution based on a hardware USB key. The software wouldn't work without it.
So they found a solution and wanted my uncle to just implement it in the product. My uncle didn't want to do this, so he opened Google, searched for a crack for this specific hardware key and quickly found hundreds of thousands of pages explaining how you could simply bypass this additional hardware key. He just forwarded that list back to management and asked them whether they were really sure they wanted to implement something that would only give an illusion of security. Management quickly forgot about it afterwards...

He told me this story as a very valuable lesson. It doesn't matter how secure some solution appears to be. If people want to, they will always manage to bypass it.
Furthermore, the use of a generic solution method is risky because generic solutions tend to have generic cracks that will make it even easier to bypass security.

With security, you want a lot of diversity, so a hacker who manages to bypass one part of your security will still have to find a way around the other security systems. When you build a stand-alone security system that hundreds of users will use in their systems, then a hacker has only a single system to crack. This is -in my opinion- why stand-alone security products will fail.

it's the end of the beginning

not the beginning of the end.

the information security landscape is changing. "attacks" used to take the form of viruses, trojans, spyware and the like. these were automated attacks built by individuals, small teams, or small startups and spread indiscriminately across the internet to any vulnerable host. that game really isn't worth playing anymore thanks to automated security software (anti-virus, anti-spam, anti-spyware).

the current game is botnets, cross-site scripting, spear phishing (or even whaling), DDoS extortion, and other "brute force" techniques. these are largely manual or customized automation attacks that target specific sites or companies rather than the internet as a whole. these attacks are launched by skilled teams that are often funded by organized crime or nation states. is your company equipped to fend off a targeted attack?

the kraken botnet is said to have over 400,000 nodes. is your security infrastructure prepared to tangle with something that huge? how about when it grows to be bigger than google?

these kinds of attacks cannot be dealt with using primarily automated tools alone, you need help from experts, and lots of it.

secure, fault tolerant software is an unholy bitch to write, it takes loads of time, loads of testing, and loads of peer review. sure, you can "build security in" but is a for profit corporation going to invest in re-tooling from the ground up because it's the right thing to do?

Missing the point?

It seems to me the key point of Michael's article is that people don't buy and use computers in order to know or understand about security. It's a necessary evil tag-along. So isn't it better to have experts working quietly in the background (either locally or in the cloud -- that part is a choice of context and convenience) taking care of that stuff than having to figure out what the threats are and then figuring out what is needed to take care of those threats? I've worked in the infosec industry off and on for most of the past 20 years, and it's always been an underlying principle for me that the actual code is just a small part of what you buy when you buy a security product; what you're actually buying is the expertise of the researchers over a period of time.

Oops

Sophos has a similar philosophy with their security software. They seem to be placing emphasis on making the security as automatic as possible. As mentioned, many users today want a 'set it and forget it' solution to data protection. I think, for businesses at least, this is going to be a strong selling point moving forward.